SCION: PKI Overview. Adrian Perrig Network Security Group, ETH Zürich

Similar documents
Towards Deployment of a Next- Generation Secure Internet Architecture

Verified Secure Routing

SCION: A Secure Multipath Interdomain Routing Architecture. Adrian Perrig Network Security Group, ETH Zürich

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure

Lecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

2 The SCION Architecture

SCION: A Secure Internet Architecture Samuel Hitz CTO Anapaya Systems ETH Zurich

Certificate reputation. Dorottya Papp

Browser Trust Models: Past, Present and Future

Certificateless Public Key Cryptography

X.509. CPSC 457/557 10/17/13 Jeffrey Zhu

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

But where'd that extra "s" come from, and what does it mean?

Key Management and Distribution

Public Key Infrastructure

Apple Inc. Certification Authority Certification Practice Statement

Security Fundamentals

PKI-An Operational Perspective. NANOG 38 ARIN XVIII October 10, 2006

Public Key Infrastructures. Using PKC to solve network security problems

Apple Inc. Certification Authority Certification Practice Statement

PROVING WHO YOU ARE TLS & THE PKI

Using Cryptography CMSC 414. October 16, 2017

CT30A8800 Secured communications

SCION: Scalability, Control and Isolation On Next-Generation Networks

Digital Certificates Demystified

Perspectives: Improving SSH-style authentication using multi-path probing

Cryptography and Network Security Chapter 14

KEY DISTRIBUTION AND USER AUTHENTICATION

WAVE: A Decentralized Authorization Framework with Transitive Delegation

Kerberos and Public-Key Infrastructure. Key Points. Trust model. Goal of Kerberos

Chapter 9: Key Management

Trust Infrastructure of SSL

Server-based Certificate Validation Protocol

Introducción al RPKI (Resource Public Key Infrastructure)

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Public Key Infrastructures

Network Security Essentials

1. CyberCIEGE Advanced VPNs

BlackVault Hardware Security Platform SECURE TRUSTED INTUITIVE. Cryptographic Appliances with Integrated Level 3+ Hardware Security Module

On the Effective Prevention of TLS Man-in-the-Middle Attacks in Web Applications

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Efficient and Secure Source Authentication for Multicast

Public-key Cryptography: Theory and Practice

Institutionen för datavetenskap Department of Computer and Information Science

Internet Kill Switches Demystified

Lecture Notes 14 : Public-Key Infrastructure

Overview. SSL Cryptography Overview CHAPTER 1

Attacks on the Internet Trust Fabric

Key Agreement Schemes

Some Lessons Learned from Designing the Resource PKI

Lecture Embedded System Security Trusted Platform Module

arxiv: v2 [cs.cr] 1 Feb 2016

egov & PKI By: Alaa Eldin Mahmoud Aly YOUR LOGO

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Not ACID, not BASE, but SALT A Transaction Processing Perspective on Blockchains

Ten Risks of PKI : What You re not Being Told about Public Key Infrastructure By Carl Ellison and Bruce Schneier

CONIKS: Bringing Key Transparency to End Users

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

A Survey of BGP Security: Issues and Solutions

The SafeNet Security System Version 3 Overview

IRP - the Identity Registration Protocol L AW R E N C E E. HUGHES CO- F O U N D E R AND C TO S I X S CAPE C O M M U N I C ATIONS, P TE. LTD.

Send documentation comments to

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

FPKIPA CPWG Antecedent, In-Person Task Group

UNIT - IV Cryptographic Hash Function 31.1

Privacy based Public Key Infrastructure (PKI) using Smart Contract in Blockchain Technology

Cryptography and Network Security

Nigori: Storing Secrets in the Cloud. Ben Laurie

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Smart Grid Security. Selected Principles and Components. Tony Metke Distinguished Member of the Technical Staff

SECURE ROUTING PROTOCOLS IN AD HOC NETWORKS

Trust Service Provider Technical Best Practices Considering the EU eidas Regulation (910/2014)

Public-key Infrastructure Options and choices

T Cryptography and Data Security

Background. Network Security - Certificates, Keys and Signatures - Digital Signatures. Digital Signatures. Dr. John Keeney 3BA33

Introduction to Cryptography Lecture 10

Considerations for using short-term certificates

Introduction to SSL. Copyright 2005 by Sericon Technology Inc.

CSE 565 Computer Security Fall 2018

Configuring Certificate Authorities and Digital Certificates

Information Security CS 526

Deliverable D8.4 Certificate Transparency Log v2.0 Production Service

Lecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7.

Lecture 15 Public Key Distribution (certification)

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Crypto meets Web Security: Certificates and SSL/TLS

A PKI For IDR Public Key Infrastructure and Number Resource Certification

Who s Protecting Your Keys? August 2018

Design and Implementation of a RFC3161-Enhanced Time-Stamping Service

Decentralized Internet Resource Trust Infrastructure

Security Digital Certificate Manager

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations

CS Certificates, part 2. Prof. Clarkson Spring 2017

Routing Security Security Solutions

Legacy of Heartbleed: MITM and Revoked Certificates. Alexey Busygin NeoBIT

Public Key Infrastructures

A Composite Trust based Public Key Management in MANETs

1) Revision history Revision 0 (Oct 29, 2008) First revision (r0)

SAML-Based SSO Solution

Transcription:

SCION: PKI Overview Adrian Perrig Network Security Group, ETH Zürich

PKI Concepts: Brief Introduction PKI: Public-Key Infrastructure Purpose of PKI: enable authentication of an entity Various types of entities Autonomous System (AS): ISP, university, corporation Router Service Web site Important terms Certificate: binds entity identifier to a cryptographic key Root of trust: Axiomatically trusted key to start authentication Certification Authority (CA): trusted entity that issues certificates 2

Desired PKI Properties Trust scalability: support heterogenous trust relationships Transparency Possible to enumerate trust roots Accountability of all PKI operations Resilient to trust root compromise Quick recovery from trust root compromise Trust control / agility Entities can select which trust roots they need to rely upon Hosts can select trust roots for verification 3

Overview Control-plane PKI DRKey End-entity PKI Name-resolution PKI 4

Control-Plane PKI Control plane: System to determine and disseminate end-toend paths Inter-domain control plane in current Internet: BGP + ICMP + support protocols Control-plane PKI mainly provides AS certificates to enable AS authentication Main requirement: high availability Needs to work without reliance on availability of communication to PKI servers (to avoid cyclic dependency between routing and PKI operation) 5

Approach for Trust Scalability: Isolation Domains Observation: subset of the Internet can agree on roots of trust form Isolation Domain (ISD) with those particular roots of trust Authenticate entities within each ISD Users & domains can select ISD based on root of trust Also supports modern log-based PKI approaches: CT, ARPKI, Challenge: retain global verifiability 6

Trust Root Configuration () Each SCION ISD defines trust roots in a Trust roots for three PKIs Control-plane PKI: core AS certificates End-entity PKI: root CA and log server certificates Name-resolution PKI: root name server certificate Trust agility: hosts select they want to use for verification s enable efficient updating of trust roots distribution is tied to path exploration and resolution 7

Sample Control-plane PKI roots End-entity PKI root CAs End-entity PKI Logs Name-resolution PKI Cross-signatures 8

Cross Signatures I J T U C A B E K L M V W X Y Z F D G H N Q O P S A D B E C R 9

ISD-to-ISD Verification verification of other ISDs follows core paths Additional cross-signatures are possible (dashed blue arrows) Important property: each core segment provides a verification chain 10

Update New is signed by quorum of trust roots defined in previous K M Also cross-signed by L neighboring ISDs version is announced in PCB, ASes fetch if they do not already have it Result: entire ISD rapidly obtains new with new trust roots N Q O R P S 11

AS Certificates Each AS obtains certificate signed by a core AS Problem: AS certificate revocation check can introduce cyclic dependency between control plane and PKI operation Solution: use short-lived certificates for non-core ASes, valid for up to 3 days Core AS certificate can be revoked through update Any AS can certify any other AS through chain of cross-signed s and by verifying core AS signatures Certificate distribution is tied to path exploration and resolution 12

External ISD AS Certificate Verification I J A C B E K L M V T W U X Y Z F D G H N Q O P S A D B E C Cert E R 13

Desired PKI Properties: SCION CP-PKI Trust scalability: support heterogenous trust relationships Transparency Possible to enumerate trust roots Accountability of all PKI operations Resilient to trust root compromise Quick recovery from trust root compromise Trust control / agility Entities can select which trust roots they need to rely upon Hosts can select trust roots for verification 14

Dynamically Recreatable Key (DRKey) AS certificates (authenticated through s) can be used to bootstrap authentication and secrecy Unfortunately, asymmetric-key cryptography is quite slow and would not work well for the following cases: A router needs to send an authenticated error message to a remote AS An end host needs to encrypt a secret value for each router on a path Goals Enable rapid establishment of a shared secret key between any two entities Routers can derive per-host secret key efficiently without any per-as or per-host state 15

DRKey: Deriving AS-to-AS Symmetric Keys Idea: use a per-as secret value to derive keys through an efficient Pseudo-Random Function (PRF) Example: AS X creates a key for AS Y using X s secret value SVX KX Y = PRFSVx ( Y ) Intel AESni instructions enable PRF computation within 50 cycles. Key computation can be faster than in-memory key lookup! Any entity in AS X knowing secret value SVX can derive KX * Example: router inside AS X can derive KX Y on-the-fly AS Y can fetch KX Y from AS X through a secure channel set up based on AS certificates 16

Overview Control-plane PKI DRKey End-entity PKI Name-resolution PKI 17

Roots of Trust in Current Internet OS / browser CA certificate store: roots of trust of TLS PKI [Oligopoly model] OS / Browser certificate Observation: Browser and OS manufacturer control roots of trust, thus their update keys become most fundamental root of trust [Monopoly model] CA certificates Interesting question: how to become a root CA? Pay ~$50 000 to two major browser vendors to add new root CA certificate, Domain certificates others will follow suit 18

PKI Properties: TLS PKI Trust scalability: support heterogenous trust relationships Transparency Possible to enumerate trust roots Accountability of all PKI operations Resilient to trust root compromise Quick recovery from trust root compromise Trust control / agility Entities can select which trust roots they need to rely upon Hosts can select trust roots for verification 19

Improvement: Certificate Transparency Google has leveraged market leader position to improve security of TLS PKI ecosystem (Chrome browser market share in May 2017: ~60%) Certificate Transparency: public log servers that create public ledger on which certificates are valid If a certificate does not appear on any ledger, it is invalid Google has made CA compliance with CT mandatory by October 2017 20

PKI Properties: Certificate Transparency Trust scalability: support heterogenous trust relationships Transparency Possible to enumerate trust roots Accountability of all PKI operations Resilient to trust root compromise Quick recovery from trust root compromise Trust control / agility Entities can select which trust roots they need to rely upon Hosts can select trust roots for verification 21

Goal: Increase Security of TLS PKI Observation: for man-in-the-middle attack, adversary creates new bogus certificate Basic idea: cross-validate TLS certificate by multiple parties Perspectives [Wendlandt et al. 2008] Network of Notary servers record certificates from multiple vantage points Browser contacts a random subset of notaries CT [Laurie et al. 2012], Sovereign keys [Eckersley 2012] Public ledger containing all valid certificates ARPKI [Basin et al. 2014] PoliCert [Szałachowski et al. 2014] 22

SCION End-Entity PKI: ARPKI + PoliCert Subject certificate policy (SCP): policy that all of a domain s certificates need to adhere to Multi-signature certificate (MSC): domain certificate signed by multiple entities + signed by SCP Observation: Domain s Subject Certificate Policy (SCP) changes infrequently invest more effort to secure it SCP registration: 23

SCION End-Entity PKI: ARPKI + PoliCert contains: Trust roots of CAs and log servers Threshold for number of signatures required for SCP SCP defines domain-specific policy List of trusted CAs Threshold for number of signatures required for MSC Hard fail or soft fail in case MSC parameter violation 24

Security of SCION End-Entity PKI Consider domain D has an SCP and MSC registered in ISD with A Important property: any client that uses A as its root of trust can be assured that at least a threshold number of trusted entities defined in A must be malicious in order to forge an SCP or MSC Therefore, any client that obtains an SCP or MSC defined by a other than A, needs to obtain a proof of absence that there s no SCP in the end-entity PKI defined by A 25

PKI Properties: End-Entity PKI Trust scalability: support heterogenous trust relationships Transparency Possible to enumerate trust roots Accountability of all PKI operations Resilient to trust root compromise Quick recovery from trust root compromise Trust control / agility Entities can select which trust roots they need to rely upon Hosts can select trust roots for verification 26

What about DNSSEC-based PKI? DANE: DNSSEC entry also contains domains certificate Problems All entities on the verification chain need to be trusted system only as secure as the weakest link Kill switch: revocation of a key invalidates all child entries 27

PKI Properties: DANE Trust scalability: support heterogenous trust relationships Transparency Possible to enumerate trust roots Accountability of all PKI operations Resilient to trust root compromise Quick recovery from trust root compromise Trust control / agility Entities can select which trust roots they need to rely upon Hosts can select trust roots for verification 28

SCION Name-Resolution PKI Double verification path: All delegations in name resolution process are signed, each step is verified Domain entry is also signed by SCP Advantages Name-resolution PKI used for availability SCP used for high security 29

PKI Properties: Name-Resolution PKI Trust scalability: support heterogenous trust relationships Transparency Possible to enumerate trust roots Accountability of all PKI operations Resilient to trust root compromise Quick recovery from trust root compromise Trust control / agility Entities can select which trust roots they need to rely upon Hosts can select trust roots for verification 30

Summary SCION integrates three innovative PKI systems Control-plane PKI High availability with simple operation provides trust root transparency, control, and easy updatability DRKey provides highly efficient and scalable symmetric key derivation End-entity PKI High security: requiring several trusted entities to collude to create bogus certificate First PKI where domain can limit the set of trust roots for the certification of its certificate Name-resolution PKI DNSSEC-style PKI only used for availability End-entity PKI used for high security 31

For More Information please see our web page: www.scion-architecture.net Chapter 4 of our book SCION: A secure Internet Architecture Available from Springer this Summer 2017 PDF available on our web site Following presentations Control-plane PKI DRKey End-entity PKI Name-resolution PKI ISD coordination 32

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback